Ask the Expert: Enterprise IPv6 Deployment

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about deploying IPv6 in an enterprise environment with expert Chip Nielsen.

IPv6 is the latest revision of the Internet Protocol and is intended as a replacement for IPv4. As public IPv4 address space continues to be exhausted, IPv6 is becoming more important to the enterprise. In this session, we will discuss the current state of IPv6 deployment and how to deploy IPv6 in your network.

Chip Nielsen (CCIE no. 12369) is a network consulting engineer with Advanced Services Enterprise West. During his eight-year tenure at Cisco, Chip has worked on several global enterprise design and implementation projects. These projects ranged from IPv6 migration planning to provider-managed MPLS WAN design. As an IPv6 Forum Fellow, he has also participated extensively in the IPv6 Forum education programs. In addition, Chip is a proctor for the IPv6 Hands-On Lab at Cisco Live. Prior to Cisco, Chip held various enterprise/commercial consulting and engineering roles in his 14-year networking career.

Remember to use the rating system to let Chip know if you have received an adequate response.

Chip might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Network Infrastructure community, sub-community, IPv6 Integration and Transition discussion forum shortly after the event. This event lasts through February 28, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

Re: Ask the Expert: Enterprise IPv6 Deployment

Hi Jessica,

Thank you for your question. This topic comes up frequently when discussing IPv6.

It is possible to use only link-local addresses for routing within your network. Most IPv6 routing protocols use link-local for neighbor relationships by default. However, each router requires a loopback interface with a unique-local or global IPv6 address for management purposes. There are caveats to this deployment model:

Interfaces with link-local only cannot be pinged remotely.

Replies to traceroute packets cannot be sourced from the interface, which might impact operations.

For routing protocols with static neighbors (e.g. BGP), configuration changes may be required if hardware is replaced and EUI-64 based link-local addresses are used.

NMS tools may have issues if they require a routable address on all interfaces.

In my experience, customers are deploying global IPv6 addresses on all infrastructure links for management reasons.

If you're interested, a recent internet draft (draft-ietf-opsec-lla-only-07) covers this topic in more detail.

Ask the Expert: Enterprise IPv6 Deployment

My organization was planning IPv4 to IPv6 transition of the complete network.

These are some details of the connectivity used. (Also see the attached WAN diagram.)

1. Site A, Site B and Site C are connected using MPLS VPN from two different ISPs.

2. Each Site has its own independent Internet connections from various ISPs.

3. LAN IPs are in the range of 10.0.0.0/8 and OSPF used inside LAN.

4. For internet at locations, various public IPs are given by the respective ISPs.

5. For MPLS, our router to PE router, 172.31.0.0 IPs are used and with BGP protocols.

6. A structure of the WAN is attached with this. I am just showing three Sites as an example. Actually we have about 500+ Sites and we are using SAP ERP for the business management. Is there any effect of IPv6 on these?

Questions:

1. Should I only do the transition in the public domain? (Each Site hosts some web applications with their own web servers with public IPs from different ISPs.)

2. Should I change my complete 10.0.0.0 IPs to IPv6?

3. Since we are using different ISPs for Internet at Sites, should we use provider-independent IPv6?

4. Should the 172.31 IP used for the eBGP connection with the MPLS PE be changed to IPv6?

5. I read that dual stack is a better solution. Where to activate dual stack? Is it in the routers or all the servers and PCs across the organization?

Ask the Expert: Enterprise IPv6 Deployment

1. Should I only do the transition in the public domain? (Each Site hosts some web applications with their own web servers with public IPs from different ISPs.)

You can start with the edge and the public services as it tends to be the simplest deployment opportunity for IPv6. However, you should also plan for rolling out IPv6 internally. The timeframe may be longer, but having a cohesive IPv6 strategy for both environments is important.

2. Should I change my complete 10.0.0.0 IPs to IPv6?

This question goes along with both your previous question and question #4/#5. The reality is that IPv4 will be with us for a long time, so you won't be removing that private addressing just yet. However, I do recommend planning for a dual stack rollout within your internal network (i.e. IPv6 coexisting with existing IPv4 implementation).

3. Since we are using different ISPs for Internet at Sites, should we use provider-independent IPv6?

It depends on your Internet deployment model. Do you need to advertise the same IPv6 range from multiple locations for multi-homing purposes? If so, provider independent space is a better option. Some ISPs might allow you to advertise provider-assigned space from different providers, so you may want to investigate that if you are unable to acquire PI space.

4. Should the 172.31 IP used for the eBGP connection with the MPLS PE be changed to IPv6?

No, the existing IPv4 eBGP peering should not be changed. In a dual stack MPLS-based WAN, you will have an IPv4 eBGP peer and an IPv6 eBGP peer.

5. I read that dual stack is a better solution. Where to activate dual stack? Is it in the routers or all the servers and PCs across the organization?

Dual stack is the preferred method for migration from IPv4 to IPv6. With proper planning, deploying dual stack IPv6 on your network infrastructure is fairly straightforward. Many customers start by deploying IPv6 in the core and then working out towards the edge of the network.

In your case, you'll need to work with your MPLS providers to verify if they support IPv6.

Servers and PCs represent a bigger challenge than the network due to application issues. It's important to engage the application teams and work with your vendors (e.g. SAP) to validate IPv6 support. In most cases, IPv6 rollout should not impact your IPv4-based applications though.

I recommend visiting ciscolive365.com and checking out the many great IPv6 presentations by my colleagues here at Cisco. There are sessions covering deployments such as yours that should help you in your planning.

Re: Ask the Expert: Enterprise IPv6 Deployment

Hello Chip,

Thanks for the reply.

I want some more clarity regarding which IPv6 address to use.

1. Since each of my Sites uses a different ISP, each ISP gives different IPv6 prefixes. So all the sites will have different IPv6 prefixes, which will be difficult to manage. So can I use Unique Local Addresses (ULA, FC00::/7) for my Sites and use NAT64 at the Internet edge? Is this method recommended? (I think my management won't recommend any PI prefix.)

Re: Ask the Expert: Enterprise IPv6 Deployment

How to handle multi-site provider-aggregated prefixes is one of the biggest pain points in IPv6, not that it isn't equally painful in IPv4. Another big pain is multiple ISPs for a single site, ditto. There are various things people have tried, all with pros and cons:

a) Live with the multiple prefixes, which works, but is a nuisance to document & route.

b) Big organizations can get provider-independent space; the University of Wisconsin-Madison is on its 3rd IPv6 prefix (the trajectory was 6bone prefix, PA prefix, PI prefix), after deciding they needed to do this and getting a /32. Makes the in-house routing easy, but complicates peering and relationships with providers.

c) If all of your ISPs are toying with Cisco's experimental Location-ID separation protocol, get the PA address space from the provider of your biggest sites, and have the other ISPs tunnel your traffic. Nice for the customer, but hard to negotiate.

d) Use ULAs internally, with Cisco's experimental NAT66 prefix substitutions at the border. Beware! A lot of clients get horribly confused about which source address to use if they have both an fc00::/7 ULA prefix and a 2000::/3 global unicast prefix. Also, the NAT66 is header only, so v6 payloads with embedded addresses will break.

I'm squatting on a fair amount of public v4 and native v6, so I'm the wrong person to ask about NAT64, sorry.

Re: Ask the Expert: Enterprise IPv6 Deployment

Hi Irfan,

Jim has done an excellent job of laying out the options.

This particular scenario requires NAT66/NPTv6 and not NAT64. However, the IPv6 community tends to steer people away from ULA with NPTv6 at the edge. One of the primary goals of IPv6 is restoring end-to-end connectivity and removing the requirement for NAT. With that in mind, global addressing is the preferred method. Whether that model is achievable in all scenarios remains to be seen and I expect we'll see more best practices developed as IPv6 deployment continues.

Currently, the Cisco ASA is the only Cisco platform that supports NAT66. However, NPTv6 is on the roadmap for IOS.

Ask the Expert: Enterprise IPv6 Deployment

Hi John,

That's a tough question.

I'm aware of enterprise customers with aggressive timelines for native IPv6 in the next 3-5 years. For commercial and small enterprise, the timeline will probably be longer. However, I've never been much of a prognosticator.

With a combination of dual stack and minimal use of translation, a graceful transition should be achievable. A "lights off" transition may occur in internal networks due to the operational overhead of dual stack. That scenario is much less likely for the Internet though.

Ask the Expert: Enterprise IPv6 Deployment

Chip,

Thanks for the reply. Another question I have is with networks that use encryptors such as Taclanes, how would this transition affect them? Would the Taclanes have to support IPv6 as well? Would all devices enterprise wise have to support IPv6?
